The Hacker News — Cyber Security, Hacking, Technology News

A new disk wiping malware has been uncovered targeting a petroleum company in Europe, which is quite similar to the mysterious disk wiper malware Shamoon that wiped data from 35,000 computers at Saudi Arabia's national oil company in 2012.

Disk wiping malware has the ability to cripple any organization by permanently wiping out data from all hard drives and external storage on a targeted machine, causing great financial and reputational damage.

Security researchers from Moscow-based antivirus provider Kaspersky Lab discovered the new wiper StoneDrill while researching last November's re-emergence of Shamoon malware (Shamoon 2.0) attacks – two attacks occurred in November and one in late January.

Shamoon 2.0 is a more advanced version of the Shamoon malware that reportedly hit 15 government agencies and organizations across the world; it wipes data and takes control of the computer’s boot record, preventing the affected machines from being turned back on.

Meanwhile, Kaspersky researchers found that the newly discovered StoneDrill wiper malware was built in a similar "style" to Shamoon 2.0, but did not share the exact same code base.

"The discovery of the StoneDrill wiper in Europe is a significant sign that the group is expanding its destructive attacks outside the Middle East," Kaspersky researchers say in a blog post. "The target for the attack appears to be a large corporation with a wide area of activity in the petrochemical sector, with no apparent connection or interest in Saudi Arabia."

Researchers also noticed that samples of both Shamoon 2.0 and StoneDrill were uploaded multiple times to online multi-scanner antivirus engines from Saudi Arabia last November.

Here's How StoneDrill Malware Works:

StoneDrill has been designed to run as a service and to target all systems joined to an organization's Windows domain. In order to spread itself, the malware relies on a list of hard-coded, previously stolen usernames and passwords belonging to administrators of the targeted domain.

New Evasion Techniques

StoneDrill features an impressive ability to evade detection and avoid sandbox execution. Unlike Shamoon, StoneDrill doesn't make use of disk drivers during installation.

Instead, StoneDrill relies on memory injection of the data wiping module into the victim's preferred browser.

StoneDrill also makes use of Visual Basic Scripts to run self-delete scripts, while Shamoon did not use any external scripts.
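The browser-injection behaviour described above gives defenders a concrete telemetry hook: a process that is not itself a browser creating a remote thread inside one. The following is an added example (not code from the article or from Kaspersky) that applies that heuristic to constructed Sysmon-style CreateRemoteThread (Event ID 8) records; the browser list, hostnames and image paths are assumed sample values.

```python
import ntpath

# Browser images a StoneDrill-style wiper might pick as an injection host (assumed list).
BROWSERS = {"chrome.exe", "firefox.exe", "iexplore.exe", "msedge.exe"}

# Constructed Sysmon-style events; Event ID 8 is CreateRemoteThread. Not real telemetry.
SAMPLE_EVENTS = [
    {"EventID": 1, "Computer": "WS01",
     "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe"},
    {"EventID": 8, "Computer": "WS01",
     "SourceImage": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "TargetImage": r"C:\Program Files\Mozilla Firefox\firefox.exe"},
    {"EventID": 8, "Computer": "WS02",
     "SourceImage": r"C:\Users\Public\placeholder_dropper.exe",
     "TargetImage": r"C:\Program Files\Google\Chrome\Application\chrome.exe"},
    {"EventID": 8, "Computer": "WS03",
     "SourceImage": r"C:\Windows\System32\csrss.exe",
     "TargetImage": r"C:\Windows\System32\notepad.exe"},
]


def image_name(path):
    """Lower-cased file name of a Windows image path (works on any host OS)."""
    return ntpath.basename(path).lower()


def flag_browser_injection(events):
    """Return CreateRemoteThread events where a non-browser process targets a browser.

    Browsers routinely create threads in their own helper processes, so pairs where
    both source and target are browser images are treated as benign.
    """
    hits = []
    for ev in events:
        if ev.get("EventID") != 8:
            continue
        src = image_name(ev["SourceImage"])
        dst = image_name(ev["TargetImage"])
        if dst in BROWSERS and src not in BROWSERS:
            hits.append({"Computer": ev["Computer"], "Source": src, "Target": dst})
    return hits


if __name__ == "__main__":
    for hit in flag_browser_injection(SAMPLE_EVENTS):
        print(f"[!] {hit['Computer']}: {hit['Source']} -> {hit['Target']}")
```

In production the source-image check would also need an allowlist for legitimate tooling (EDR agents, accessibility software) that injects into browsers.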

Backdoor Ability

Like Shamoon, StoneDrill also includes backdoor functions that are used for espionage operations, with screenshot and upload capabilities.

Kaspersky researchers identified at least four command-and-control (C&C) servers that the attackers used to spy on and steal data from an unknown number of targets.

Furthermore, the attackers interact with StoneDrill over its command-and-control channel, instead of relying on a hard-coded "kill time" as in the Shamoon samples analyzed in January 2017, which implement no C&C communication at all.

Ransomware Component

Besides wiping functionality, the new malware also includes a ransomware component.

However, this feature is currently inactive; attackers could leverage this part of the platform in future attacks to hold victims hostage for financial or ideological gain.

Like Shamoon 2.0, StoneDrill was reportedly compiled in October and November 2016.

Although StoneDrill mostly targets organizations in Saudi Arabia, Kaspersky researchers discovered victims in Europe as well, meaning that the attackers might be widening their campaign.

For more technical details about the StoneDrill and Shamoon 2.0 attacks, you can head over to Kaspersky's official blog.

Saudi Arabia's national oil company, Aramco, is the country’s largest oil producer and a significant exporter within the Organization of the Petroleum Exporting Countries (OPEC). The company said that a cyber attack against it in August, which damaged some 30,000 computers, was aimed at stopping oil and gas production at the biggest OPEC exporter.

The interior ministry said it was carried out by organised hackers from several different foreign countries and that Aramco employees and contractors were not involved.

“The main target in this attack was to stop the flow of oil and gas to local and international markets and thank God they were not able to achieve their goals,” Abdullah al-Saadan, Aramco’s vice president for corporate planning, said on Al Ekhbariya television.

“Not a drop of oil was lost and the company was able to restore productivity in record time,” he added. The hackers used several methods to hide their location.

The attack used a computer virus known as Shamoon, spread through Aramco’s network and wiped computers’ hard drives clean. Aramco said damage was limited to office computers and did not affect systems software that might harm technical operations.

Later, a hacker group called Cutting Sword of Justice claimed responsibility for the attack. A posting on the group's website a day before the attack accused Saudi Arabia of crimes and atrocities in countries including Bahrain and Syria.